diff -Nru tomcat8-8.0.32/debian/changelog tomcat8-8.0.32/debian/changelog
--- tomcat8-8.0.32/debian/changelog 2016-07-06 11:50:04.000000000 +0000
+++ tomcat8-8.0.32/debian/changelog 2016-09-16 13:12:05.000000000 +0000
@@ -1,3 +1,12 @@
+tomcat8 (8.0.32-1ubuntu1.2) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: privilege escalation via insecure init script
+ - debian/tomcat8.init: don't follow symlinks when handling the
+ catalina.out file.
+ - CVE-2016-1240
+
+ -- Marc Deslauriers Fri, 16 Sep 2016 09:11:41 -0400
+
 tomcat8 (8.0.32-1ubuntu1.1) xenial-security; urgency=medium
 * SECURITY UPDATE: denial of service in FileUpload
diff -Nru tomcat8-8.0.32/debian/tomcat8.init tomcat8-8.0.32/debian/tomcat8.init
--- tomcat8-8.0.32/debian/tomcat8.init 2016-02-10 15:08:36.000000000 +0000
+++ tomcat8-8.0.32/debian/tomcat8.init 2016-09-16 13:12:32.000000000 +0000
@@ -171,8 +171,10 @@
 # Run the catalina.sh script as a daemon
 set +e
- touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
- chown $TOMCAT8_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
+ if [ ! -f "$CATALINA_BASE"/logs/catalina.out ]; then
+ install -o $TOMCAT8_USER -g adm -m 644 /dev/null "$CATALINA_BASE"/logs/catalina.out
+ fi
+ install -o $TOMCAT8_USER -g adm -m 644 /dev/null "$CATALINA_PID"
 start-stop-daemon --start -b -u "$TOMCAT8_USER" -g "$TOMCAT8_GROUP" \
 -c "$TOMCAT8_USER" -d "$CATALINA_TMPDIR" -p "$CATALINA_PID" \
 -x /bin/bash -- -c "$AUTHBIND_COMMAND $TOMCAT_SH"
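Review bot: `-o $TOMCAT8_USER` is left unquoted on both added `install` lines in the tomcat8.init hunk, while the `start-stop-daemon` call immediately below quotes the same variable as `-u "$TOMCAT8_USER"`; quote it on both lines, e.g. `install -o "$TOMCAT8_USER" -g adm -m 644 /dev/null "$CATALINA_PID"`, so an empty or whitespace-containing value is passed as a single argument instead of being dropped or split. The `[ ! -f ... ]` guard resolves symlinks, so a catalina.out that is already a symlink to an existing regular file is kept rather than replaced; as the subsequent writes to it appear to happen as TOMCAT8_USER rather than root this does not seem to reintroduce the root-chown issue the commit fixes, but a stricter variant would refuse to start when `[ -L "$CATALINA_BASE"/logs/catalina.out ]` holds and log why. This block runs under `set +e`, so a failing `install` (logs directory missing or unwritable, or a PID path that cannot be created) is silently ignored and the daemon is started anyway; check each `install` exit status before the `start-stop-daemon` line. The enclosing function or block starts and ends outside the hunk.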